How to Reset A Windows Server 2008 Domain Password

I recently got a desperate call from a friend I helped to set up a domain running Windows server 2008. Apparently, something happened and nobody could log on to the server. My first thought was password expiration so I told them to just log on as domain admin and reset the passwords of the affected users.

Things got interesting when the next question was, “What is the password?”. Now, this was a year after the initial installation and I did not have the password – as a matter of principle, I encourage clients to change the initial password after an installation is completed so they have the assurance that I will not “sneak in”. They took my advise.

The problem now was, nobody knew what the password was. We gave it a few guesses and it became apparent that a reset of the domain admin password was needed. There are a few tools in the market, both free, commercial and pseudo-commercial tools (favorably called bait & switch “demo” software) that were very limited, to say the least, since most of these tools only allow you to reset the password of the local administrator, not the domain administrator’s password.

I came upon a solution that is beautiful in its simplicity. It turns out that the main tool for us is the Utilman program in Windows. Now be aware that you need physical access to the server and if you are like my friend Charles, the server is locked down tight, literally. He has his server bolted to the rack! Not only that, USB ports are disabled, there is no DVD/CD-ROM drive anywhere on the box and there is a BIOS and hard drive password, plus, the boot option is set to hard disk. You actually need a key to access the case. Nice.

So here:

  1. Boot up the server using the install DVD, or a Linux LiveCD. If you are using  the Windows server 2008 DVD, you want to use the “Repair your computer” option when setup starts.
  2. Gain access to the command line by doing the following
    1. rename the Utilman.exe file,  to Utilman.old or .bak
    2. Make a copy of Cmd.exe  and rename it Utilman.exe (if you are a domain admin, surely you would not embarrass yourself by asking me where Utilman.exe is located or how to rename or copy a file using the command line)
  3. Restart the server and press the superkey+U (that is, press the key with the Windows logo and the “U” key at the same time) at the login screen. This will bring up the command line window.
  4. Reset the domain admin password using the “NET USER” option (NET USER <admin account> <new password>
    (where admin account is whatever you renamed the administrator account to and password is the new password for the account. If you did not rename the administrator account, then it is NET USER administrator <new password>)
  5. Exit out of the command line and try logging in. That should do it.
  6. Reboot the server with the Windows Server 2008 DVD/LiveCD and undo the changes.

Note, if you decide to go the LiveCD route, your job is easier. Make sure your distro has ntfs-3g support built in and boot into the desktop. Access the NTFS drive, rename Utilman.exe. Then make a copy of Cmd.exe and rename the copy Utilman.exe. Reboot (don’t forget to remove the LiveCD when you reboot) and follow steps 3-6.

That’s about it.

It goes without saying that you should have/make a backup of your system before doing any of this, and more importantly, I bear absolutely no responsibility if you mess up your system. Then again, you are a domain admin, right?

Remember, we are not trying to access a box we have no business accessing in the first place – take the hint or risk going to jail.